Bug 814983 - yum install fails in FIPS mode
Summary: yum install fails in FIPS mode
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: yum
Version: 5.9
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: James Antill
QA Contact: BaseOS QE Security Team
Depends On:
Reported: 2012-04-21 21:04 UTC by Miroslav Vadkerti
Modified: 2014-01-21 06:25 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-04-23 12:43:38 UTC
Target Upstream Version:

Attachments
[PATCH] vlan: filter device events on bonds (deleted)
2012-07-20 19:59 UTC, Neil Horman

Description Miroslav Vadkerti 2012-04-21 21:04:33 UTC
Description of problem:
yum install fails in FIPS mode (see reproducer)

# yum -y reinstall openssl
malloc: using debugging hooks
Loaded plugins: katello, product-id, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Setting up Reinstall Process
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored

Version-Release number of selected component (if applicable):

How reproducible:
100% on i386

Steps to Reproduce:
1. Install EL5.8
2. Remove prelink
# prelink -u -a
# yum -y 
3. Switch to FIPS
4. yum install anything
Actual results:
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored

Expected results:
No error and yum works

Additional info:
I assume this is a yum issue, but feel free to reassign to openssl if needed.
Tested only on i386 architecture. Tested also with older openssl, doesn't seem to be a regression in openssl (found while testing openssl ASYNC)

Comment 1 Karel Srot 2012-04-23 08:12:32 UTC
Just for reference the RHEL6 fixed bug is bug 541974.

Comment 2 James Antill 2012-04-23 12:43:38 UTC
I'm sure this was discussed in previous bugs ... the problems are:

1. If the repos. you are using have MD5 checksummed metadata ... yum will need to call MD5.

2. It's possible there are still bugs where yum calls MD5 routines where it doesn't need to, esp. in RHEL-5.

3. OpenSSL MD5 calls abort() in FIPS mode ... even if the usage was not in a security context.
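
As an added example (not part of the bug report and not yum's own code): a check for the first point in comment 2, scanning a repository's repomd.xml for MD5-typed checksums before a host is switched to FIPS mode. The sample metadata is constructed, `forbidden_checksums` is a hypothetical helper name, and flagging only MD5 is an assumption taken from this bug.

```python
import sys
import xml.etree.ElementTree as ET

# Namespace used by repomd.xml, the index file of a yum repository.
REPO_NS = "{http://linux.duke.edu/metadata/repo}"
# Assumption: only MD5 is flagged, because it is the algorithm named in this bug.
FORBIDDEN = frozenset(["md5"])

# Constructed sample: "primary" is MD5-checksummed, "filelists" uses SHA-256.
SAMPLE_REPOMD = """<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <location href="repodata/primary.xml.gz"/>
    <checksum type="md5">00000000000000000000000000000000</checksum>
    <open-checksum type="md5">11111111111111111111111111111111</open-checksum>
  </data>
  <data type="filelists">
    <location href="repodata/filelists.xml.gz"/>
    <checksum type="sha256">%s</checksum>
  </data>
</repomd>""" % ("2" * 64)


def forbidden_checksums(repomd_xml, forbidden=FORBIDDEN):
    """Return (data type, element, algorithm) for each forbidden checksum.

    Meant for metadata from repositories you already trust: the standard
    library parser is not hardened against malicious XML.
    """
    findings = []
    root = ET.fromstring(repomd_xml)
    for data in root.findall(REPO_NS + "data"):
        for tag in ("checksum", "open-checksum"):
            elem = data.find(REPO_NS + tag)
            if elem is None:
                continue
            algo = (elem.get("type") or "").strip().lower()
            if algo in forbidden:
                findings.append((data.get("type"), tag, algo))
    return findings


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan each file.
    docs = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    for name, doc in docs or [("<sample>", SAMPLE_REPOMD)]:
        for section, tag, algo in forbidden_checksums(doc):
            print("%s: %s <%s> uses %s" % (name, section, tag, algo))
```

Any section it reports is one where yum has to compute MD5 to verify the metadata, which is the call that aborts under FIPS mode.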

Comment 3 Neil Horman 2012-07-20 19:59:49 UTC
Created attachment 599453 [details]
[PATCH] vlan: filter device events on bonds

Since bond masters and slaves only have separate vlan groups now, the
vlan_device_event handler has to be taught to ignore network events from slave
devices when they're truly attached to the bond master.  We do this by looking
up the network device of a given vid on both the slave and its master.  If they
match, then we're processing an event for a physical device that we don't really
care about (since the master's events are really what we're interested in).

This patch adds that comparison, and allows us to filter those slave events that
the vlan code should ignore.
 net/8021q/vlan.c |   64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 64 insertions(+), 0 deletions(-)

Comment 4 Neil Horman 2012-07-20 20:02:23 UTC
sorry, wrong bug, ignore last post
